Physicians' access to medical records versus HIPAA compliance

Access restrictions for physicians

People sometimes wonder whether there is an opinion on physicians accessing patients they are not the physician of record for.

Quite often a Meditech C/S hospital allows physicians access to all patients, but it currently prompts the physician with a screen when they attempt to access a patient they are not a named physician on. This is referred to as “breaking the glass”. All of this gets audited and recorded in the logs.

But there is the ability to change the prompt from every time to first time only, so when a physician hits a record that they are “primary care” on, it will prompt them once but won’t prompt them afterwards.

The physician community doesn’t like having to break the glass each time they access the record; it impedes physician response time and patient care, and they would like it reduced to a first-time break.

An example: an Emergency Doc takes on a patient in the ED and wants to see their information but has not been assigned to the patient. Every time they look at the Electronic Medical Record, they have to break the glass; if Meditech changes the setting, the prompt would appear only the initial time.

Additionally, it is logged as a break-the-glass event each time they access it.

It is believed that breaking the glass is a non-repudiation method that won’t get eliminated; it just gets reduced by changing from every time to first time. The question is how physician access to patient records in this manner complies with HIPAA, and whether the law requires them to ‘break the glass’ each time like this.

Constant breaking the glass in view of HIPAA compliance audits

If you are tracking access to these patients even after the break-the-glass process, then you should be covered if you only notify the physician once. One could probably be more proactive in monitoring these occurrences when completing a HIPAA audit, but there is no benefit in making physicians go through the notification process each time they try to access a patient where they are not the physician of record.

As an aside, there are a lot of issues that have become more pressing since the introduction of HIPAA. One of these is the fact that in hospitals and other health care organizations whose systems require a physician, nurse, therapist or other staff member to enter a user name and password to get to patient information, staff don’t only have to remember their user name and password for one facility, but often must have one for each facility they work in, and even for multiple systems within the facility.

It would be good practice to go as easy on the staff as possible while still providing patient privacy, since we are really putting some pretty big and aggravating barriers in front of providers of all kinds who need to gain access to patient information.

There are some facilities that have a system that physicians log onto when they come into the facility. This system provides them with a variety of notices, messages and medical staff updates. They then have to log onto the Cerner system for clinical data, onto the dictation system to hear reports that have been dictated but not transcribed, and, if they want to view radiology images, onto yet another system. To say they are frustrated with this one facility is an understatement, but when you listen to them describe having different log-on credentials for their office, the two hospitals in town, the radiology viewing system... you get the point.

In all probability the physicians requesting access are “covered entities”, and consequently they are beholden to the law: they are precluded from (even) requesting PHI for purposes not allowed by HIPAA. And given that the Security rules are “scalable”, if a reasonable argument can be made for providing the physicians access (as described in the scenario), then so be it, especially if the process promotes good clinical care.

We believe that HHS is very cognizant of the medical errors caused by inhibited communications that kill people in hospitals (as many as 50-100K deaths per year by NIH estimates), and so too should be the IT professionals who implement “reasonable” access controls.

Mutual agreement

The reasonable compromise that solves the problem on the one hand and still complies with HIPAA rules is to have them break the glass once when they go in to view a patient record for which they are not a provider of record, but you should still audit their accesses after that point. They also have to put on record exactly WHY they are accessing the patient when they are not listed as a provider of record. There are four canned reasons, along with an “other, please explain in comments”, that they can choose from.

This is not something the physicians' office staff should be allowed to do, though. They are still restricted to the patients whose providers of record are listed as being within their group.
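The compromise described above (break the glass once per physician and patient, keep auditing every later access as the earlier section on compliance audits recommends, require a recorded reason, and give office staff no break-the-glass path at all) can be expressed as a small access-control policy. The following is an added example written for this page, not Meditech's or Cerner's code; the role names, the reason codes and the sample patient and user identifiers are constructed placeholders, since the page names neither the four canned reasons nor any real identifiers.

```python
# Break-the-glass access policy: first-time prompt, continuous audit, mandatory reason.
# Added example; data model, roles and reason codes are constructed assumptions.
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum


class PromptMode(Enum):
    EVERY_TIME = "every_time"  # prompt on every access to a non-assigned patient
    FIRST_TIME = "first_time"  # prompt once per (user, patient) pair


# Placeholder codes: the page says four canned reasons plus "other" exist but does not name them.
CANNED_REASONS = {"EMERGENCY_TREATMENT", "CONSULT_REQUESTED", "COVERING_PROVIDER", "CARE_COORDINATION"}
OTHER_REASON = "OTHER"


@dataclass(frozen=True)
class User:
    user_id: str
    role: str      # "physician" or "office_staff" (constructed role names)
    group_id: str  # practice group the user belongs to


@dataclass
class AuditEvent:
    timestamp: str
    user_id: str
    patient_id: str
    event: str     # "prompt", "break_glass", "access" or "denied"
    reason: str = ""
    comment: str = ""


@dataclass
class Decision:
    granted: bool
    prompt_required: bool
    detail: str


class BreakTheGlassPolicy:
    def __init__(self, providers_of_record, provider_groups, mode=PromptMode.FIRST_TIME):
        self.providers_of_record = providers_of_record  # patient_id -> set of provider user_ids
        self.provider_groups = provider_groups          # provider user_id -> group_id
        self.mode = mode
        self.broken = set()      # (user_id, patient_id) pairs already justified
        self.audit_log = []      # every access attempt lands here, before and after the glass is broken

    def _log(self, user, patient_id, event, reason="", comment=""):
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit_log.append(AuditEvent(stamp, user.user_id, patient_id, event, reason, comment))

    def request_access(self, user, patient_id, reason=None, comment=""):
        providers = self.providers_of_record.get(patient_id, set())
        if user.user_id in providers:
            self._log(user, patient_id, "access")
            return Decision(True, False, "provider of record")

        if user.role == "office_staff":
            # Office staff never break the glass: only patients whose provider of record is in their group.
            if any(self.provider_groups.get(p) == user.group_id for p in providers):
                self._log(user, patient_id, "access")
                return Decision(True, False, "provider of record within staff group")
            self._log(user, patient_id, "denied")
            return Decision(False, False, "office staff outside provider group")

        if user.role != "physician":
            self._log(user, patient_id, "denied")
            return Decision(False, False, "role not permitted")

        key = (user.user_id, patient_id)
        if key in self.broken and self.mode is PromptMode.FIRST_TIME:
            # Glass already broken for this pair: no prompt, but the access is still audited.
            self._log(user, patient_id, "access")
            return Decision(True, False, "glass previously broken; access audited")

        if reason is None:
            self._log(user, patient_id, "prompt")
            return Decision(False, True, "break-the-glass justification required")
        if reason not in CANNED_REASONS and reason != OTHER_REASON:
            self._log(user, patient_id, "denied", reason, comment)
            return Decision(False, True, "unknown reason code")
        if reason == OTHER_REASON and not comment.strip():
            self._log(user, patient_id, "denied", reason, comment)
            return Decision(False, True, "'other' requires an explanatory comment")

        self.broken.add(key)
        self._log(user, patient_id, "break_glass", reason, comment)
        return Decision(True, False, "glass broken; access audited")

    def break_glass_report(self):
        """Break-the-glass events per physician, the figure a HIPAA audit would review."""
        counts = {}
        for ev in self.audit_log:
            if ev.event == "break_glass":
                counts[ev.user_id] = counts.get(ev.user_id, 0) + 1
        return counts


def demo(mode=PromptMode.FIRST_TIME):
    """Constructed scenario: an ED physician views a patient assigned to another doctor."""
    policy = BreakTheGlassPolicy({"pt-100": {"dr-smith"}}, {"dr-smith": "grp-internal-med"}, mode)
    ed_doc = User("dr-ed", "physician", "grp-emergency")
    clerk = User("clerk-1", "office_staff", "grp-emergency")
    decisions = [
        policy.request_access(ed_doc, "pt-100"),                                # prompted
        policy.request_access(ed_doc, "pt-100", reason="EMERGENCY_TREATMENT"),  # glass broken
        policy.request_access(ed_doc, "pt-100"),                                # first-time mode: no prompt
        policy.request_access(clerk, "pt-100"),                                 # office staff: denied
    ]
    return policy, decisions
```

Switching `mode` to `PromptMode.EVERY_TIME` reproduces the current behaviour the physicians object to: the third call prompts again. In either mode the audit log records all four attempts, which is what the compliance argument above rests on.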

There is also a need to continue educating the physicians, to remind them why they are asked to remember passwords (for example). You should get feedback from them about what is and isn’t working (do surgeons have difficulty getting the information they need about emergency cases, for example) and work to alleviate those problems where you can.